[CLSA-2026:1776684555] Fix CVE(s): CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390

Type:

security

Severity:

Important

Release date:

2026-04-20 11:29:21 UTC

Description:

   * SECURITY UPDATE: use-after-free in DANE client code
     - debian/patches/openssl-1.1.1-cve-2026-28387.patch: use X509_free()
       instead of OPENSSL_free() to properly release reference-counted X509
       objects in dane_match()
     - CVE-2026-28387
   * SECURITY UPDATE: NULL pointer dereference in delta CRL processing
     - debian/patches/openssl-1.1.1-cve-2026-28388.patch: add NULL check for
       delta->crl_number before dereferencing in check_delta_base()
     - CVE-2026-28388
   * SECURITY UPDATE: NULL pointer dereference in CMS KeyAgreeRecipientInfo
     - debian/patches/openssl-1.1.1-cve-2026-28389.patch: use safe
       X509_ALGOR_get0() extraction in dh_cms_set_shared_info() and
       ecdh_cms_set_shared_info()
     - CVE-2026-28389
   * SECURITY UPDATE: NULL pointer dereference in CMS KeyTransportRecipientInfo
     - debian/patches/openssl-1.1.1-cve-2026-28390.patch: use safe
       X509_ALGOR_get0() extraction and OPENSSL_memdup() for label data in
       rsa_cms_decrypt()
     - CVE-2026-28390

Updated packages:

alt-openssl_1.1.1w-3.4_amd64.deb
sha:5e7ceac6612ce88db72b18986cb4bdff71494671
alt-openssl-dev_1.1.1w-3.4_amd64.deb
sha:03a5c3cb3dfdd8c33514c8160fb12f051ba6a751
alt-openssl-doc_1.1.1w-3.4_all.deb
sha:1f25e34be77a00a778385e7a2f379fbe07751581
alt-openssl-libs_1.1.1w-3.4_amd64.deb
sha:5102275498e0a7cface5805f70a977c69939460d

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.